Controlling Information Systems: Business Process Controls
In this chapter we learn how to analyze narratives and systems flowcharts and begin to ANALYZE our documentation of a business process for controls that exist or are missing. For missing controls, implementation should follow (assuming the benefit of the control, i.e. the reduction in expected loss from the exposure it covers, exceeds its cost). For existing controls, we still need to determine whether they are operating as intended or need to be corrected, and finally whether we have too many overlapping controls in place, so that their combined cost exceeds their benefit.
The Control Matrix (definition):
A tool designed to assist in evaluating the potential effectiveness of controls in a business process by matching control goals with the relevant control plans.
Assessing the effectiveness of control design (and, once implemented, of control operation) is required to comply with SOX Section 404.
Step 1: Specify Control Goals:
The flowchart and narrative should be reviewed to become familiar with the system under examination. Identify the following: the business process, the relevant resources, the input, the storage for the input data (e.g. cash disbursements event data, cash receipts event data), and the master data that the input updates.
Identify operations process control goals:
Effectiveness goals - Describe measures of success for the operations process. Different processes have different effectiveness goals. For Lenox's cash receipts process we include only two examples here:
– A — Timely deposit of checks
– B — Comply with compensating balance agreements with the depository bank
– Other possible goals of a cash receipts would be shown as goals C, D, and so forth, and described at the bottom of the matrix (in the matrix legend).
Efficiency goals - The purpose of efficiency control goals for the operations process is to ensure that all resources used throughout the business process are employed in the most productive manner. Our discussion focuses primarily on people and computers.
Security goals - The purpose of security control goals is to guard the resources of the business against loss, destruction, misuse, etc. They are meant to manage the risks identified in the enterprise risk-management process. Also important in today's business environment is the security of information: there have been many well-publicized examples of lost, stolen or misplaced data tapes and files, which can result in significant cost and liability for the companies and individuals involved. Identity theft is a major concern for businesses in the current environment.
Identify information process goals:
Input goals for all data entry (validity "IV" , completeness "IC", and accuracy "IA")
Update goals (update completeness "UC" and update accuracy "UA") apply when the master data update is a separate, periodic step (e.g. batch posting) rather than an immediate part of data entry.
Update goals must consider all related information that will be affected by the input data, including master file data and ledger data. For the business process input data, the purpose of the update control goals of the information process is to ensure:
• Update completeness (UC)
• Update accuracy (UA)
Step 2: Recommend Control Plans:
I. The objective is to identify the control plans that should be implemented to accomplish the control goals. Annotate present and missing controls on the systems flowchart: start at the top left-hand column of the systems flowchart and follow the process, identifying the process-related symbols that reflect a present internal control plan, and describe how each control addresses each noted goal. Missing controls are identified and evaluated after the present control plans have been entered on the control matrix.
• present controls are marked P-1 through P-n
• missing controls are marked M-1 through M-n
II. Evaluate the present control plans - List P-1 through P-n and the name of each control plan in the left-hand column of the control matrix. For each control plan, place the corresponding P-x under each control goal the plan addresses and describe how the plan relates to the goal or goals.
III. Identify and evaluate missing control plans
Examine the control matrix to determine whether there are any control goals for which no control plan exists.
Evaluate and analyze the systems flowchart for further risk exposures for which you would recommend adding additional controls or strengthening existing controls.
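The two steps above, carried through as an added worked example (this is editorial illustration, not code from the page or its textbook). The goal codes are the page's own; the plans P-1 to P-3 on the Lenox flowchart, the labels, and the per-plan goal sets are assumed, taken from the generic control plan list further down. The script builds the matrix rows, finds goals with no P-x under them, proposes M-n plans from the generic list to close them, and reports which goals still need a process-specific plan.

```python
"""Control matrix builder: map present control plans (P-n) to control goals,
find goals no plan covers, and propose missing plans (M-n) from the generic
plan list. Added example; the Lenox plans and their labels are assumed."""

# Control goals from the page: operations-process goals A, B, efficiency and
# security, then information-process goals IV, IC, IA, UC, UA.
GOALS = {
    "A": "Timely deposit of checks",
    "B": "Comply with compensating balance agreements",
    "EFF": "Efficient employment of resources",
    "SEC": "Security of resources",
    "IV": "Input validity",
    "IC": "Input completeness",
    "IA": "Input accuracy",
    "UC": "Update completeness",
    "UA": "Update accuracy",
}

# Present plans annotated on a hypothetical Lenox cash receipts flowchart,
# in flowchart order. The goal sets are the ones the generic plan list gives.
PRESENT_PLANS = [
    ("P-1", "Preformatted screens", {"EFF", "IA"}),
    ("P-2", "Programmed edit checks", {"EFF", "SEC", "IV", "IA"}),
    ("P-3", "Key-in corrections", {"IA"}),
]

# Generic plans that could be recommended as missing controls, with the
# goals each addresses (from the generic plan list on this page).
CANDIDATE_PLANS = {
    "One-to-one checking": {"SEC", "IV", "IC", "IA", "UC", "UA"},
    "Provide feedback": {"IC"},
    "Automatic updating": {"EFF", "IV", "IA", "UA"},
}


def build_matrix(goals, plans):
    """Rows of the control matrix: {plan label: {goal code: True/False}}."""
    return {label: {g: g in covered for g in goals} for label, _, covered in plans}


def coverage_counts(goals, plans):
    """How many plans sit under each goal. 0 means a gap; a high count is a
    hint that controls overlap and may cost more than they are worth."""
    return {g: sum(1 for _, _, c in plans if g in c) for g in goals}


def uncovered_goals(goals, plans):
    """Goals with no P-x under them, in matrix column order."""
    counts = coverage_counts(goals, plans)
    return [g for g in goals if counts[g] == 0]


def propose_missing(goals, plans, candidates):
    """Greedy step III: label M-1..M-n the candidate plans that close the most
    open goals; return (missing plans, goals still open). Goals no generic
    plan can close (here the process-specific effectiveness goals A and B)
    stay open and need a process-specific plan."""
    todo = set(uncovered_goals(goals, plans))
    missing = []
    while todo:
        name, covers = max(candidates.items(), key=lambda kv: len(kv[1] & todo))
        gain = covers & todo
        if not gain:
            break
        missing.append((f"M-{len(missing) + 1}", name, gain))
        todo -= gain
    return missing, [g for g in goals if g in todo]


def render(goals, plans, missing=()):
    """Plain-text control matrix with one column per goal."""
    rows = list(plans) + list(missing)
    width = max(len(name) for _, name, _ in rows) + 6
    lines = ["plan".ljust(width) + " ".join(f"{g:>4}" for g in goals)]
    for label, name, covered in rows:
        cells = " ".join(f"{(label if g in covered else '-'):>4}" for g in goals)
        lines.append(f"{label} {name}".ljust(width) + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    missing, still_open = propose_missing(GOALS, PRESENT_PLANS, CANDIDATE_PLANS)
    print(render(GOALS, PRESENT_PLANS, missing))
    print("goals with no plan:", uncovered_goals(GOALS, PRESENT_PLANS))
    print("still open after M-n:", still_open)
```

Run as a script it prints the matrix with P-1 to P-3 and the proposed M-1 (one-to-one checking, which closes IC, UC and UA), and reports that goals A and B remain open: no generic plan makes checks get deposited on time, so those need a process-specific plan such as a daily deposit deadline.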
Generic Control Plans:
Input Plans (Manual Input)
Three essential input controls are:
• Preformatted screens - Control the entry of data by defining the acceptable format of each data field. Goals: efficient employment of resources; input accuracy (IA).
• Online prompting - Requests user input or asks questions that the user must answer. Goals: efficient employment of resources; input accuracy (IA).
• Programmed edit checks - Automatically performed by data entry programs upon entry of the input data. Goals: efficient employment and security of resources; input validity (IV) and input accuracy (IA).
Other input plans and the goals they address:
• One-to-one checking - Security; validity (IV); input and update completeness (IC, UC); input and update accuracy (IA, UA).
Correct Errors/Input Plans:
• Key-in corrections - Accuracy (IA).
Record Input Plans:
• Provide feedback - Completeness (IC).
• Automated record input - Effectiveness and efficiency.
• Automatic updating - Effectiveness; efficiency; validity (IV); input and update accuracy (IA, UA).
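Programmed edit checks, as the plan list above describes them, are easiest to understand in code. The following is an added example, not from the page: it validates one cash receipts input record against the page's goal codes (IC, IA, IV, SEC). The customer master, open invoice balances, field formats, review limit and sample records are all constructed for the example. It also shows the order that matters in practice: completeness first (a blank field cannot be format-checked), then format and type (accuracy), then comparison with master data (validity), and a security flag for large amounts rather than a silent rejection.

```python
"""Programmed edit checks for a cash receipts input record. Added example;
the master data, field formats, review limit and sample records are assumed."""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed master data (not from the page): customer master and open
# receivables that the input must be checked against.
CUSTOMER_MASTER = {"C1001": "Acme Ltd", "C1002": "Bravo Inc"}
OPEN_INVOICES = {("C1001", "INV-778"): Decimal("1250.00"),
                 ("C1002", "INV-802"): Decimal("300.00")}
REQUIRED = ("customer_id", "invoice_no", "check_no", "amount", "receipt_date")
# Preformatted-screen equivalent: the acceptable format of each field.
FORMATS = {"customer_id": r"C\d{4}", "invoice_no": r"INV-\d{3,6}", "check_no": r"\d{4,8}"}
REVIEW_LIMIT = Decimal("10000.00")  # assumed: receipts above this need supervisor approval


def edit_checks(rec, today=date(2024, 5, 6)):
    """Return a list of (goal, message) findings for one input record.
    Goals use the page's codes: IC completeness, IA accuracy, IV validity,
    SEC security. An empty list means the record is accepted as entered."""
    findings = []

    # IC: every required field must be present and non-blank.
    for field in REQUIRED:
        if not str(rec.get(field, "")).strip():
            findings.append(("IC", f"{field} is missing"))
    if findings:
        return findings  # nothing else can be checked reliably

    # IA: field formats, numeric amount, parseable date.
    for field, pattern in FORMATS.items():
        if not re.fullmatch(pattern, rec[field]):
            findings.append(("IA", f"{field} has invalid format"))
    try:
        amount = Decimal(str(rec["amount"]))
    except InvalidOperation:
        amount = None
        findings.append(("IA", "amount is not a number"))
    if amount is not None and amount <= 0:
        findings.append(("IA", "amount must be positive"))
    try:
        received = date.fromisoformat(rec["receipt_date"])
    except ValueError:
        received = None
        findings.append(("IA", "receipt_date is not YYYY-MM-DD"))

    # IV: the event must refer to real master data and a plausible date.
    customer = rec["customer_id"]
    if customer not in CUSTOMER_MASTER:
        findings.append(("IV", f"customer {customer} not in customer master"))
    key = (customer, rec["invoice_no"])
    if key not in OPEN_INVOICES:
        findings.append(("IV", f"no open invoice {key[1]} for customer {customer}"))
    elif amount is not None and amount > OPEN_INVOICES[key]:
        findings.append(("IA", "amount exceeds the invoice's open balance"))
    if received is not None and received > today:
        findings.append(("IV", "receipt_date is in the future"))

    # SEC: large receipts are accepted but flagged for supervisory review
    # rather than silently posted.
    if amount is not None and amount > REVIEW_LIMIT:
        findings.append(("SEC", "amount above review limit; supervisor approval required"))
    return findings


def goals_hit(rec):
    """Just the goal codes a record trips, in check order."""
    return [goal for goal, _ in edit_checks(rec)]


# Constructed sample input: one clean record and one with an unknown customer.
GOOD = {"customer_id": "C1001", "invoice_no": "INV-778", "check_no": "004512",
        "amount": "1250.00", "receipt_date": "2024-05-03"}
BAD_CUSTOMER = dict(GOOD, customer_id="C9999")

if __name__ == "__main__":
    for label, rec in (("good", GOOD), ("bad customer", BAD_CUSTOMER)):
        print(label, edit_checks(rec))
```

Note that an unknown customer trips the validity check twice (no such customer, and therefore no such open invoice); a real screen would stop at the first finding per field, but keeping every finding makes the record easier to correct through a key-in correction in one pass.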
Controls in Action: Here is a web page that lists the internal controls used by Arizona State University's Administrative and Finance Department, separated by the various accounting processes. This looks to be a very detailed list, but is there anything missing? http://www.asu.edu/audit/Internal%20Controls.htm#top
For the accounts payable cycle the listed controls do not state that invoices must be checked for authorization before payment, nor that every invoice must be matched against its purchase order and the shipping/receiving documents (a three-way match). Neither control is explicitly mentioned in the list.
Cash receipts - The person depositing the money should be segregated from the person doing the bank reconciliation and from the person posting the entry to the GL. A mandatory vacation of at least two consecutive weeks for the person handling cash should also be in place, so that someone else performs the duties and any concealed irregularity surfaces.
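The segregation rule just stated can be checked mechanically against a user-role assignment, which is how an access review would find it. The following is an added example, not from the page or the ASU list: it treats the three duties (deposit, reconcile, post to the GL) as pairwise conflicts, derives each user's duties from the roles they hold, and reports both users who hold both sides of a conflict and roles whose design already embeds one. The roles, users and duty names are constructed.

```python
"""Segregation-of-duties check for the cash receipts process. Added example;
the roles, users and duty names are assumed."""
from itertools import combinations

# The page's rule: depositing cash, reconciling the bank account and posting
# to the GL must be done by different people, so every pair conflicts.
SEGREGATED_DUTIES = ("deposit_cash", "reconcile_bank", "post_gl")
CONFLICTS = {frozenset(pair) for pair in combinations(SEGREGATED_DUTIES, 2)}

# Constructed role and assignment data (not from the page).
ROLE_DUTIES = {
    "cashier": {"deposit_cash"},
    "ar_clerk": {"post_gl"},
    "controller": {"reconcile_bank"},
    "ar_inquiry": {"view_customer"},
    "ar_lead": {"post_gl", "reconcile_bank"},   # the role itself embeds a conflict
}
ASSIGNMENTS = {
    "alice": {"cashier"},
    "bob": {"ar_clerk", "controller"},          # conflict through two separate roles
    "carol": {"ar_lead"},
    "dave": {"ar_clerk"},
    "erin": {"ar_inquiry", "cashier"},
}


def user_duties(user, assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES):
    """All duties a user holds through every role assigned to them."""
    return set().union(*(role_duties[r] for r in assignments.get(user, ())))


def violations(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """{user: [conflicting duty pairs]} for users holding both sides of a conflict."""
    found = {}
    for user in assignments:
        held = user_duties(user, assignments, role_duties)
        hits = sorted(tuple(sorted(c)) for c in conflicts if c <= held)
        if hits:
            found[user] = hits
    return found


def toxic_roles(role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Roles that contain a conflict on their own: assigning them to anyone
    breaks segregation, so the role design, not the user, is the problem."""
    return sorted(r for r, d in role_duties.items() if any(c <= d for c in conflicts))


def toxic_role_pairs(role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Pairs of otherwise clean roles that must never be assigned together."""
    clean = sorted(set(role_duties) - set(toxic_roles(role_duties, conflicts)))
    return [(r1, r2) for r1, r2 in combinations(clean, 2)
            if any(c <= role_duties[r1] | role_duties[r2] for c in conflicts)]


if __name__ == "__main__":
    print("users in violation:", violations())
    print("roles that embed a conflict:", toxic_roles())
    print("role pairs never to combine:", toxic_role_pairs())
```

The two outputs serve different fixes: a user violation is corrected by removing one role from that person, while a toxic role has to be split before any assignment of it can be compliant. The pair list is what you feed a provisioning system so the conflict is refused at assignment time rather than found at the next review.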
Compensation Change - Here is a link to a Word document that shows the flowchart and control table. It was created in Visio and describes the shapes and their custom properties. It looks pretty interesting. SAMPLE OF **BUSINESS PROCESS** AND **CONTROLS** DOCUMENTATION
Auditors and Audit Evaluations of Controls: Here is a control matrix that is not formatted like the ones we are using, but is still effective for auditors when deciding the procedures they will use to evaluate internal control. In this matrix, the first column shows the control goals of company management, the second column shows the activities and processes used to meet that objective, and the third column shows the audit procedures the auditor will use to test the controls. http://www.dcaa.mil/sap/LABR-Internal_Control_Matrix.pdf
Further reading on risk and control matrices:
• An article on risk and control matrices and how they give internal auditors a comprehensive tool: http://www.allbusiness.com/accounting-reporting/auditing/204358-1.html
• An article on Section 401 of Sarbanes-Oxley that describes risk/control matrices: http://www.sarbanes-oxley.com/displaysection.php?level=2&pub_id=IC-Primer&chap_id=IC4&message_id=206
• A page on mapping internal controls into a control matrix; it goes further into quantifying the controls, but is still a good reference on the different types of controls: http://www.internalcontrolsdesign.co.uk/matrices/